Every minute spent quoting variables by hand and working around the endless stream of problems it will inevitably lead to, is a complete waste.
Just rewrite the queries to use placeholders, because sooner or later that's what you will end up having to do. Not only does it solve all problems related to SQL injection and special characters, it also makes your code easier to read and maintain. With most databases it will even improve performance.
And no, it's not difficult either. Just replace this
my $sth = $dbh->prepare(" SELECT * FROM foo WHERE bar=$qstring1 AND baz=$qstring2 "); $sth->execute();
with this
my $sth = $dbh->prepare(" SELECT * FROM foo WHERE bar=? AND baz=? "); $sth->execute($string1, $string2);
...it's really that simple!
Now, if you really REALLY must quote each variable because you have to build the queries on the fly, don't do the quoting yourself using regular expressions. Instead, use the DBD "quote" method conveniently provided for you. The following code works for simple cases:
my %quoted = map { $_ => $dbh->quote($params{$_}) } keys %params;It produces a copy of the original hash, with all values properly quoted for safe use by the database you happen to be working with.
Time flies when you don't know what you're doing
In reply to Re: Escaping %params
by FloydATC
in thread Escaping %params
by DaisyLou
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |